From: Szabolcs Nagy <szabolcs.nagy@arm.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: Szabolcs Nagy via Libc-alpha <libc-alpha@sourceware.org>
Subject: Re: [PATCH 16/20] Fix malloc/tst-scratch_buffer OOB access
Date: Fri, 28 Oct 2022 12:24:00 +0100 [thread overview]
Message-ID: <Y1u70FoFT0KeMVEw@arm.com> (raw)
In-Reply-To: <87zgdgh5du.fsf@oldenburg.str.redhat.com>
The 10/28/2022 07:41, Florian Weimer wrote:
> * Szabolcs Nagy via Libc-alpha:
>
> test used scratch_buffer_dupfree incorrectly:
> >
> > - The passed in size must be <= buf.length.
> > - Must be called at most once on a buf object since it frees it.
> > - After it is called buf.data and buf.length must not be accessed.
> >
> > All of these were violated, the test happened to work because the
> > buffer was on the stack, which meant the test copied out-of-bounds
> > bytes from the stack into a new buffer and then compared those bytes.
> >
> > Run one test and avoid the issues above.
> > ---
> > malloc/tst-scratch_buffer.c | 22 +++++++---------------
> > 1 file changed, 7 insertions(+), 15 deletions(-)
> >
> > diff --git a/malloc/tst-scratch_buffer.c b/malloc/tst-scratch_buffer.c
> > index 9fcb11ba2c..60a513ccc6 100644
> > --- a/malloc/tst-scratch_buffer.c
> > +++ b/malloc/tst-scratch_buffer.c
> > @@ -155,21 +155,13 @@ do_test (void)
> > struct scratch_buffer buf;
> > scratch_buffer_init (&buf);
> > memset (buf.data, '@', buf.length);
> > -
> > - size_t sizes[] = { 16, buf.length, buf.length + 16 };
> > - for (int i = 0; i < array_length (sizes); i++)
> > - {
> > - /* The extra size is unitialized through realloc. */
> > - size_t l = sizes[i] > buf.length ? sizes[i] : buf.length;
> > - void *r = scratch_buffer_dupfree (&buf, l);
> > - void *c = xmalloc (l);
> > - memset (c, '@', l);
> > - TEST_COMPARE_BLOB (r, l, buf.data, l);
> > - free (r);
> > - free (c);
> > - }
> > -
> > - scratch_buffer_free (&buf);
> > + size_t l = 16 <= buf.length ? 16 : buf.length;
> > + void *r = scratch_buffer_dupfree (&buf, l);
> > + void *c = xmalloc (l);
> > + memset (c, '@', l);
> > + TEST_COMPARE_BLOB (r, l, c, l);
> > + free (r);
> > + free (c);
> > }
> > return 0;
> > }
>
> I think we should keep the test loop, but create a new scratch buffer on
> each iteration.
given the documentation of scratch_buffer_dupfree
i don't see how the test supposed to work with
sizes > buf.length or what's the point of this loop.
next prev parent reply other threads:[~2022-10-28 11:24 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-27 15:32 [PATCH 00/20] patches from the morello port Szabolcs Nagy
2022-10-27 15:32 ` [PATCH 01/20] Fix OOB read in stdlib thousand grouping parsing [BZ #29727] Szabolcs Nagy
2022-10-27 15:38 ` Andreas Schwab
2022-10-27 15:32 ` [PATCH 02/20] scripts: Use bool in tunables initializer Szabolcs Nagy
2022-10-27 16:29 ` Florian Weimer
2022-10-27 15:32 ` [PATCH 03/20] aarch64: Don't build wordcopy Szabolcs Nagy
2022-10-27 16:59 ` Adhemerval Zanella Netto
2022-10-27 15:32 ` [PATCH 04/20] aarch64: Fix the extension header write in getcontext and swapcontext Szabolcs Nagy
2022-10-28 14:03 ` Adhemerval Zanella Netto
2022-10-27 15:32 ` [PATCH 05/20] Fix invalid pointer dereference in wcscpy_chk Szabolcs Nagy
2022-10-28 5:34 ` Florian Weimer
2022-10-27 15:32 ` [PATCH 06/20] Fix invalid pointer dereference in wcpcpy_chk Szabolcs Nagy
2022-10-28 5:45 ` Florian Weimer
2022-10-27 15:32 ` [PATCH 07/20] Use uintptr_t in fts for pointer alignment Szabolcs Nagy
2022-10-31 16:08 ` Adhemerval Zanella Netto
2022-10-27 15:32 ` [PATCH 08/20] malloc: Use uintptr_t " Szabolcs Nagy
2022-10-31 16:09 ` Adhemerval Zanella Netto
2022-10-27 15:32 ` [PATCH 09/20] malloc: Use uintptr_t in alloc_buffer Szabolcs Nagy
2022-10-27 16:15 ` Florian Weimer
2022-10-27 15:33 ` [PATCH 10/20] malloc: Fix alignment logic in obstack Szabolcs Nagy
2022-10-31 16:14 ` Adhemerval Zanella Netto
2022-11-01 9:43 ` Szabolcs Nagy
2022-11-01 13:07 ` Adhemerval Zanella Netto
2022-10-27 15:33 ` [PATCH 11/20] elf: Fix alloca size in _dl_debug_vdprintf Szabolcs Nagy
2022-10-28 5:31 ` Florian Weimer
2022-10-28 13:56 ` Adhemerval Zanella Netto
2022-10-28 14:43 ` Szabolcs Nagy
2022-10-28 14:48 ` Adhemerval Zanella Netto
2022-10-27 15:33 ` [PATCH 12/20] Fix the symbolic link of multilib dirs Szabolcs Nagy
2022-10-27 15:33 ` [PATCH 13/20] Use uintptr_t in string/tester for pointer alignment Szabolcs Nagy
2022-10-28 14:11 ` Adhemerval Zanella Netto
2022-10-27 15:33 ` [PATCH 14/20] Fix off-by-one OOB write in iconv/tst-iconv-mt Szabolcs Nagy
2022-10-28 5:39 ` Florian Weimer
2022-10-27 15:33 ` [PATCH 15/20] Fix off-by-one OOB read in elf/tst-tls20 Szabolcs Nagy
2022-10-28 5:36 ` Florian Weimer
2022-10-27 15:33 ` [PATCH 16/20] Fix malloc/tst-scratch_buffer OOB access Szabolcs Nagy
2022-10-28 5:41 ` Florian Weimer
2022-10-28 11:24 ` Szabolcs Nagy [this message]
2022-10-28 11:30 ` Florian Weimer
2022-10-28 12:23 ` Szabolcs Nagy
2022-10-28 12:27 ` Florian Weimer
2022-10-27 15:33 ` [PATCH 17/20] Fix missing NUL terminator in stdio-common/scanf13 test Szabolcs Nagy
2022-10-28 5:44 ` Florian Weimer
2022-10-27 15:33 ` [PATCH 18/20] Fix elf/tst-dlmopen-twice to support enough link namespaces Szabolcs Nagy
2022-10-27 16:24 ` Florian Weimer
2022-10-27 16:45 ` Szabolcs Nagy
2022-10-27 16:51 ` Florian Weimer
2022-10-27 16:47 ` Adhemerval Zanella Netto
2022-10-27 15:33 ` [PATCH 19/20] Fix resource/bug-ulimit1 test Szabolcs Nagy
2022-10-27 16:48 ` Adhemerval Zanella Netto
2022-10-27 15:34 ` [PATCH 20/20] Fix stdlib/test-dlclose-exit-race to not hang Szabolcs Nagy
2022-10-27 16:22 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y1u70FoFT0KeMVEw@arm.com \
--to=szabolcs.nagy@arm.com \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).